rsshub vulnerable to Cross-site Scripting via unvalidated URL parameters
- Severity: Medium
Description
When URL parameters contain certain special characters, rsshub returns an error page that does not properly guard against XSS, allowing arbitrary JavaScript code to execute.
Users who access the deliberately constructed URL are affected.
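The pattern described above, as an added example that is not RSSHub's own code: a hypothetical error-page renderer that places the request path into HTML, first unescaped and then escaped at the point of output. The function names, the sample path and the response header set are assumptions made for illustration.

```javascript
// Added example: hypothetical error-page renderer, not RSSHub's actual code.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode the five characters that can break out of HTML text or a quoted attribute value.
function escapeHtml(value) {
    return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: the decoded request path is concatenated into markup as-is.
function renderErrorPageUnsafe(requestPath, message) {
    return `<html><body><h1>Error</h1><p>Route: ${requestPath}</p><pre>${message}</pre></body></html>`;
}

// Hardened pattern: every request-derived value is escaped where it is written out.
function renderErrorPageSafe(requestPath, message) {
    return `<html><body><h1>Error</h1><p>Route: ${escapeHtml(requestPath)}</p>` +
        `<pre>${escapeHtml(message)}</pre></body></html>`;
}

// Response headers that limit the impact if an escaping call is ever missed.
function errorPageHeaders() {
    return {
        'Content-Type': 'text/html; charset=utf-8',
        'X-Content-Type-Options': 'nosniff',
        'Content-Security-Policy': "default-src 'none'; style-src 'self'",
    };
}

// Constructed sample input: a percent-encoded path as it would arrive in a request.
const samplePath = decodeURIComponent('/some/route/%3Cscript%3Ealert(1)%3C%2Fscript%3E');
const sampleMessage = `Route not found: ${samplePath}`;

// Render both variants and report whether a live <script> tag survives in the output.
function demo() {
    const unsafe = renderErrorPageUnsafe(samplePath, sampleMessage);
    const safe = renderErrorPageSafe(samplePath, sampleMessage);
    return {
        unsafeHasScriptTag: unsafe.includes('<script>'),
        safeHasScriptTag: safe.includes('<script>'),
        safeRoute: escapeHtml(samplePath),
    };
}

console.log(demo());
```

The same comparison works as a regression test: request a route containing markup characters and assert that the error response body carries only the encoded form.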
Recommendation
Update the rsshub package to the latest compatible version. Version details:
- Affected version(s): < 1.0.0-master.c910c4d
- Patched version(s): 1.0.0-master.c910c4d
Related Issues
- jsondiffpatch is vulnerable to Cross-site Scripting (XSS) via HtmlFormatter::nodeBegin - CVE-2025-9910
- @dependencytrack/frontend vulnerable to Persistent Cross-Site-Scripting via welcome message - CVE-2025-64758
- Vega vulnerable to Cross-site Scripting via RegExp.prototype[@@replace] - CVE-2025-27793
- CleverTap Web SDK is vulnerable to DOM-based Cross-Site Scripting (XSS) via window.postMessage - CVE-2026-26862
- Tags: npm, rsshub
Last updated on March 13, 2023